Posted
by
Cliff
on Thursday January 04, 2001 @12:58PM
from the doing-it-right dept.

nlh asks: "I'm one of the founders of TruExchange, a small software company in the Boston area. We've just closed a major round of funding and are going through some VC-inspired (ok, VC-mandated) changes and maturations. One of these is the creation of a formal Employee Handbook, which will contain the all-important company Privacy Policy, among other things. The other founders and I are in the fortunate positions of being active Slashdot readers and of having a good deal of say in the creation of these policies. I wanted to get a feel from the Slashdot community about the best way to implement them (before it's too late)."

"From the employee's position, it's easy to scoff at the fascist-sounding stuff we read on here regularly ('We can and will see and hear everything you do when and if we want to.') but as a 'responsible' member of the management team, I have to take into consideration the legal ramifications of NOT reserving such rights. If we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise).

I'd like to come up with a healthy compromise -- We want to create a policy that shows our 'user friendliness', yet we must please the big VCs and protect ourselves as a corporation. We want to say 'We respect your privacy and will make every effort not to monitor you, but we reserve the right to do so.' Is such a compromise possible? What should a reasonable privacy policy say (and how should it be said?) Where does the line between 'employer covering its ass' and 'fascist bastards' get drawn?"

You sound like you want to hire an "expert" to construct a work environment that will be just barely tolerable enough that people won't refuse to leave.

Well that sucks! Let's see... I'll take a job wher the commute irritates me just slightly less than the amount than would cause me to go elsewhere. The pay will be just barely tolerable for me to live on, and the company policies will make me unhappy, but not so unhappy that i'll actually get up and leave. What a way to live. Ugh.

2. The more sinister "big brother" research agencies (think: The Economic League), the kind that will stop you getting a managerial job at a FTSE-100 company because you once attended a protest march at college, keep everything controversial on paper, to which the DPA doesn't apply, and only store basic index data electronically - it makes their work a lot harder but when they charge a couple of grand a go it doesn't matter.

The Data Protection Act 1998 does apply to paper based records. This was one of the changes over the 1984 Act.

Currently, my company is also going through the process of creating a privacy policy. The draft versions were, as expected, rough and in need of a great deal of modifications- both legal and procedureal.

One of the best elements to our process was the fact that employees were asked their opinions as the policy was written. This sort of iterative feedback not only created awareness and buy-in, but it also created a more rational set of policies.

What I learned: It might be useful to import some of the old software development techniques into the creation of corporate documents.

This is the type of policy that I would personally recomend. Put simply....

"It is our policy to NOT read email or monitor network traffic unless there is suspicoun of wrongdoing"

I have seen other policies like this. My own employers Drug Testing policy is like that "We test if we have reason to suspect that a person is using drugs during work hours" or some similar wording (too lazy to get the specific wording)

(if it were a policy of random or manditory testing I would have never come work here)

Unless there are legitimate complaints of wrongdoing... then its all good isn't it?

I would also encourage people to have and allow them to easily access personal email accouns from work machines... that way they can more easily keep personal and professional email seprate

Not sure that I follow that last point. Because disturbing stuff is found when searches at irregular times are conducted, searches at irregular times should be outlawed?!?
Wouldn't the (contradiction alert! 3..2..1)smart user just wait for those unmonitored periods to send death threats to the President or whatever?

As the ISP division of a multi faceted company (the others are Telco, Cable, and Newspapers), we were presented with a corporate policy on computer use recently.
Being in charge of Technical Support, and having to support the full variety of e-mail/news clients and browsers, entailed much downloading of software. Several times, due to the corporate nature of the purchasing policy, we had to resort to the newsgroups for copies of OS releases to stay ahead of the customers.
The point being that the policy strictly forbade the downloading of software without written corporate approval, as well as the stipulation that at no time would any employee use a program other than one officially supplied by the company, including free programs, such as Eudora Light (the one we recommend to our customers who cannot fathom the depths of Outlook Express, or keep it working).
Though we managed to get exemptions for those employees who needed this sort of access, ALL new employees are signing this form when they pass through HR. So, technically, all of our recent hires are breaking company policy and may be fired at any time.
This all came down as policy from a group of corporate lawyers who have not a clue what computer use and support entails. HELL! we do not even support any OS other than Windoze and MAC! so we need to download software on a regular basis since we do not support any OS that is truly stable! (ever tried an M$ product on the MAC?!?!?).
You seem to be on the right track with your intentions and it sounds as though you will manage to strike the balance between corporate responsibility and privacy, on that count I wish you the best, and ask that you share with us the results of your work. It just may be that another company may benefit from the work you do here.
Modern Celt
"The way you think it is may not be the way it is at all"
St. Oran

Weren't there some cases recently where people were applying under the FOIA (in the US) to get access to web browser histories and/or firewall & proxy logs for government employees? I know there was one trying to get the logs of what sites students had been visiting.

If those were decided in favor of releasing histories, caches and other logs, you might throw something about that into your policy as well.

As posted here before, there should be some form of "just cause" before searching through emails or web traffic. I wouldn't sit around on a Tuesday afternoon and browse the web logs looking for suspicious sites. Instead, if there is a legitimate complaint (for example, some has a bunch of porn on their screen) then it would be permissible to investigate the logs.

The same idea hold for emails too. Unless someone tells management that they're being harassed or threatened, there isn't any reason to read through them.

I would also suggest some statue of limitations (nothing after 60 days, for example). This prevents the situation where someone gets mad because somebody else got the promotion and suddenly decides that the off-color joke they sent last year was harassment.

If you think there is a gun in somebody's desk, then maybe you should call the cops. Or, if you want to handle it yourselves, then go over there and look in the desk. What is the employee going to say? "Hey, it doesn't say you can do that in the privacy policy. Don't do it, or I'll sue." Don't be such a management wimp. You think you need a written policy for everything? Ha ha ha.

I used to work in the corporate offices of a major retail company in the Midwest. The policy we enacted, which really seemed quite fair, was that all employees signed a paper which stated that the powers that be *do* have the security to look at email, but will not do so without a just cause, such as a serious complaint or court order. Email would not just be looked at to spy on the end user, or to do a witch hunt, per se. That was all fine and good for email and really worked out well. This was the same company, however, that sent logs of everyones web browsing hits to auditing for review, and looked at *everyone's* logs, whining when someone went over some pre-concieved limit on browsing (always nailed me because I was the most web fluent in my department, always being asked to find some kind of info, and because when I browse, I always open multiple windows).

Perhaps if invasion of emplyees' privacy (assuming they have any) cost management something, they would be more carefull about when they do it. Don't make it so bad they're afraid/can't afford to investigate; just prevent it from becoming an everyday thing. I know, easier said than done.

[paraphrase - If I use my company account to send scam mail why is my company liable for it?]

You company is liable because you sending email to other people within the company might be construed as company business and therefore their legal responsibility. If my ISP can send me bills only by email, it can change it's terms and conditions by email then it can certainly be held responsible for the email it sends. I can't refuse to pay the bill just because it was emailed to me instead of posted.

'You won't mind us poking around... unless of course you have something to hide'. Now, I think that's perfectly fair. Search his locker for fun. NFS mount his harddisk and see if he's storing child/goat pornography. Find out what he's really doing when he's 'working late'. No wonder that last Latte tasted funny. But really, What kind of privacy to employees need? Of course, routine strip searches might not work in your favour, ask, well, people don't like strip searches. Except those that do, so you could try to amass a staff of perverts.

But I digress. I should be pontificating on that wonderous subject of privacy in the office. Well, do your employees have something to hide? Has John been asking about 'when the privacy policy will be in'?. If so, maybe you should do a cavity search before Section II.445 says 'NO cavity searches without a warrant'. I watch Law & Order you know. It's sickening what they get away with, all beause they 'need a warrant', or they 'beat out the confession', or they 'didn't adhere to proper corpse handling procedures.'. Just sick.

And you know where a fine programme such as Law & Order gets its ideas, right? Real life. So let's have an upstanding privacy policy. In fact the employees should assume they're being monitored anyways. After all, anything they keep private could be degrading the company service. Do you really want to sacrifice $$$$$ for 'employee privacy' and funny tasting Lattes? I certainly wouldn't. But that's me, I'd put profits befopre my employees, after all, they're a dime a dozen, especially if I'm not running a business that requires thought, such as a sweat shop.

You know, I don't want to go off on a tagent here, but, have you considered modelling your workplace after a sweatshop? I'm sure there are many fine corporations that can attest to their power and efficiency... And no icky crap about 'employee privacy' to worry about...

Or you could just employee trained monkeys, rendering the whole thing moot...

A large part of why you want to have a monitoring policy is the deterrent effect. That is, people will avoid doing questionable things just because they know you might be monitoring them. This is a win-win: the company avoids having to enforce anything, or even review anything, and the employees just keep their noses clean, fearing being caught doing something nasty.

Well, your statement is rather diametral to just about everything I said. The model you propose is based on distrust and fear and knowing how and when you might get spanked and why can absolutely be openly communicated without missing out on the deterring effect, examples ?

You have a lot of permanently installed traffic cameras in Europe (red lights, speed). The installation is a grey box which might or might not contain an actual camera. Although every driver knows how and where he might get caught, the system has an extremely preventive effect. 90% of all boxes are empty at all times, but would you gamble your license even if the mathematics (1:10 chance of getting caught) are on your side ?

I am sure that M$ has some great privacy policies in thier employee hand book. Just copy them verbatim. I am sure that no one will mind and then you have a great open minded gestapo hand book.

Keep them in line with fear!
We reserve the right to check your possesions, mail, and court records, for any damn reason we choose. Including but not limited to, our own damn amusment for christmas parties.

It's about efficiency. Hire an expert. Someone who knows for each risk what the probability of being nailed on it is and the downside of such an eventuality. Then look at it from the other side; what percentage of qualified engineers will balk at a given level of draconianity (I just made up a word!) and how does that affect your bottom line vs more risk and more productive personnel?

The researchers and experts exist, you just have to be willing to pay for their time. It's the exact same situation as hiring an ergonomics expert to decrease the probability of a permanent disability claim.

We keep the hell out of your stuff. If you break the law, on your own head be it, we assume no responsibility.

Do you really think it works that way? You can't relieve yourself of liability just by saying so in some sort of Bart Simpson "I'm just waving my arms and walking forward and if my hand happens to hit your face then it's not my fault" kind of deal. Hell, if you could I'd just get a "Look Out -- Scary Driver" sign and drop my car insurance.

I agree with you, and really wish that I could work for a company that had such a relaxed tone with it's employees. I used to, and yes, they got my loyalty that way.

My concern is, in today's lawyer-driven world, would such language stand up in court? Couldn't an attacker (euphamism for plantiff's attorney, seemed appropriate with all of the security talk these days) argue that the instruction was overly vague?

work is a public place, with efforts directed to the goal of making money - simple, clear, though perhaps not ideal.
at work, privacy of the individual - as it relates to company resources used, time purchased from the employee - is nonexistant.
Perhaps the exclusion to this is an exception of company provisions that provide for certain "private" or "personal" use of company resources - using the telephone to make personal calls should not be recorded, checking one's Hotmail account should not be monitored or cached, but perhaps this activity should be voluntarily limited by the employee or restricted to formal "break" times. Defining "personal use" benefits sounds like where I would focus given the situation you describe.

Unfortunately, you pretty much need to have a statement that employees have no expectation of privacy at work. Not that you are ethically entitled to snoop at will, but legally you could end up in a very bad situation if the worst happens (e.g. renegade employee threatens world destruction, etc.) and you have not done this.

The most enlightened policies will combine this with a specific list of cases where monitoring may occur (e.g., where suspicion of illegal activity exists, etc.) AND specify what authorization is required to snoop. Perhaps require two separate executive individuals to authorize, say the head of IS and HR together.

You want to assure your employee that they will be monitored only for good cause, not because some e-mail admin is really bored or some manager is paranoid.

I was actually supporting searches at irregular times. If you are going to search at all, you might as well do it at odd times, otherwise it's going to be just like you described. (death threats from the supposedly smart user).-----

Setting specific times/dates for auditing effectively renders audits useless.By doing that, you are permitting people that have malicious intent in using the computer "outside the rules", because they can cover up their trails very very easily. The only people you're ever going to find "abusing" the system are the poor fellows who were doing things inadverdetly and weren't really paying attention to whether they were inside or outside the rules...

In other words, Joe Smith that is sending confidential info outside the company will cover up his tracks easily by only sending/receving funny email from 9:00 to 12:00 and always deleting whatever he gets, while Jane Doe will get busted because she viewed one-too-many GAP catalog pages (the limit was 50 and she forgot...) between 4 and 6...-----

Any policy which covers your ass is too invasive for most people to consider "fair", and conversely, a "fair" policy is ineffective. Since you're the employer, though, you get to dictate the rules and your employees can either put up with it or seek employment elsewhere.

Most employees understand that their privacy at work is not what they get at home. But the problem is that they do not know what is being monitored and what is not. If you review phone logs periodically, *say so*. If you do random nighttime inspections of desks and file cabinets, *say so*. If you have cameras in the bathrooms to find coke addicts, *say so*. Sometimes I think that employers get all excited about catching people "red-handed" that they forget that the real reason for these kind of measures is to *prevent* them. There are a few advantages to full disclosure:

1. Trust. Employees work better when uncertainty is at a minimum.
2. Self-policing. If you have a filter which logs every url I hit on the web, and flags inappropriate ones, I'm simply not going to go to those sites, which is the whole point in the first place.
3. Voluntary removal. Employees who can't/won't live with the restrictions may simply quit once they see the handwriting on the wall.
4. Early correction. If you don't disclose that you are logging all web activity, and you approach an employee who goes to an xxx site, suddenly everyone feels violated (it will get out quickly), starts worrying about what they were doing when they thought they were alone and you have a real morale and maybe legal problem. If you disclose what you are doing, then you can have the guy's boss say "hey, you know this stuff is logged, knock it off" and it isn't a huge deal.
-----------

It's a wonderful luxury as a non-manager, for someone to be able to say what a company should and shouldn't do. Most of the people the write here, while very intelligent, are not managers.

Your employees will respect you because you treat them well, and you prove yourself through actions. Not because of some silly handbook. Most the time it doesn't get read anyway.

You have to cover yourself. If you write the hand book to be a nice guy, and someone violates a law where you have not covered the company, the company is the one that is liable for it. The person that wrote the handbook gets fired, the company gets sued, and the employee doesn't really get what he deserves for violating a law on company time.

Like I said before, it's not what's in the book that counts day to day, it's how you actually treat the people who work for you.

It actually makes me feel bad when I think about the fact that companies actually NEED a privacy statement. Employees are the key reason companies have the opportunities for growth that they enjoy. Employees are the reason your company just closed a round of financing. Why on earth, would you have to define a privacy policy that was so complicated you needed input on it?
I think what you should do is have a staff meeting. Talk about respect, and how it works both ways, talk about mutual respect for employees privacy (completely, and utterly) and for employees to have respect for their company by acting and behaving appropriately while they have this freedom.
The world, and this country in particular is becoming a very over-regulated, here is our waiver, enter at your own risk, we're watching your every move kind of place and I think everyone in a position to make changes to alter that for the betterment of 'true' freedom, should use that position to initiate changes that will eventually lead to a better way of life.
If we don't, it is going to seriously bite us in the rear, and I'm sure eventually, a large group of people will just say "That's enough" and all hell will break loose.

Things like e-mail should remain private, barring some criminal investigation. If I ever found out that an employer was peeking at my e-mails, I would quit. Of course limits could be placed on large attachments, etc so that the network isn't stressed too much by the 50th forward of that salmon with bears commercial.
Things like web browsing should be open to monitoring.

I used to work for were regular readers as well. We would paruse/. daily looking for the keen anwers to the great many technical questions out there. Sometimes getting cought up in the usuall trolling that will inevitably happen. Did they get upset with us for this? Who knows. I guess it doesn't matter now. I don't work there any more. The project was finished.

Any way, I see/. as being a useful resource to flip through and find what you are looking for. It's like reading a local news paper. I don't care about all of the free 900# services at the back of the issue, more what I care about is found right where I look. The links from/. (freshmeat, OSDn, etc.) are all great resources. Let the people use at will. If they absuse, limit the usage. It's like any other news agency, there are pages to read on the job and pages to not read on the job. It all depends on what kind of job it is and depends on the appropriation to the job. Have at it.

Quite often that lawyerese turns out to be unacceptably vague when someone bothers to actually try to parse it. Like when a judge and a lawyer got together to define "sexual relations" in the case of a certain public figure accused of asking an employee for a blowjob, and wound up with a definition that arguably did not include blowjobs.

Plain English, well-written, is often more precise than tortured legal constructions -- and no one can reasonably argue that they did not understand it. And virtually any written regulation will include some vague areas; just don't go tromping on employee's rights when one of those vague areas is involved, and you'll never wind up in court about vagueness.

Though the need for an organization to protect itself legally is important the danger of offending employees could very well surpass the danger of a lawsuit. A difficult proposition because a legally effective privacy policy basically says: "we don't trust you" Talk about a blow to worker moral.
I am tempted to believe that an office full of unhappy employees is a bigger problem than one problem worker doing drugs. On the other hand recent work place violence suggests that a firm stance needs to be taken with violent (or significant) crime.

I read email for a major corporation. It's part of my job description that I didn't know about when I took the 'security' position I now hold. I find it distasteful, but necessary.

Have a good policy that covers who all needs to agree to read an employee's email (notification? consent? HR notification? approval? Corporate Counsel notification? approval?) before you start doing it, and stick to it.

My actions have helped get people fired who deserved to be fired for cause. My actions have defended innocent employees against unfounded accusations. Distasteful? Yeah, it still is. But each instance is reviewed by HR before I go forward with it. They don't ask me to touch employee email unless there's a good reason to expect that key information will be found there--and it usually is.

The rub is, of course, that according to the policies as outlined ("the rights" the coporation reserves), I can read anyone's mail for any reason at any time. One of the reasons I don't quit is that I'd rather not have someone who enjoyed this facet of the job doing it... With apologies to Douglas Adams "On no account should anyone who manages to intentionally worm their way into a position where they can read email actually be allowed to do it."

I'm not sure if the printing statement is too harsh. First, particularly in my field, the web is a research tool so we do need to use it and print content for the web for work related purposes. Secondly, if you have it in place that it's understood that web usage is similar to personal calls, then printing a page is similar to using office pens to write down info during a personal phone call on office paper; no printing period is too draconian. A good example, if I order something from an estore while at the office (say, WebVan for dinner tonight), I'm probably going to want a reciept of some time, so I'd print that out. One page, at most, no major drain when you know office memoes about the latest baby shower are printed on reams of paper.

Just state that personal printing from the web should be limited to a few pages, with no *color* printing, abuses will be handled on a case by case basis as necessary.

If you store or use your customer's data for ANY purpose other than the basic requirements of supplying logistics for THE TRANSACTION (provision of goods in exchange for money) - then you must keep that data private, and never use it for ANY other purpose.

Unless the customer specifically opts in to other programs like marketing research or whatever.

If you create a program where you sell an address list to another party, then the customer should be entitled to a share of the profits, be it.05 cents or whatever. Credit their account or something.

I work for a very very large computer company and our policy is very straightforward. Basically anything related to your work or work product or their equipment or dealings with other employees or any other party with a relationship to the company, primarily a financial one, is not private. You have no expectation of privacy. Does this translate to everyone is monitored? No. Just that there is no expectation of privacy. If there was something they wanted to go after they would on that basis alone.

As to an internal policy, I like the idea of limiting all intrusions to suspicion of illegal activity. Certainly, you should explicitly *exclude* from company interest anything people do on their own time. e.g., don't have a "drug policy". If someone's drug habit interferes with work, fire him for being a bad worker. If it doesn't interfere, what do you care?

I read recently (maybe on Slashdot) about how Dow Chemical laid off a bunch of employees for being involved in porn email, and I totally disagreed with this. I think, as a manager myself, that privacy is highly important. Privacy, closely related to security, is one of the key ingrediants in keeping up employee morale, however there are some drawbacks:

It's interesting that you would say that. But I have to tell you that because of the way the law is structured, it is very difficult to allow employees total privacy. For example, in the instance of e-mail security. If you tell employees that e-mail is totally private and we don't do any monitoring bad things can happen.

For instance, yesterday on Slashdot I read about some people who got busted for spamming people with an old newspaper ad scam that makes people beleive that they will be paid for stuffing envelopes in exchange for a, in their case a fee of 24 pounds. If they had used, say, your companies e-mail system to do the scam, then that would make *THE COMPANY* liable for damages (in their case it was something like 65,000 pounds they had to pay back). (Sorry, to lazy to insert a link)

The only way to avoid such things is to actually reserve the right to monitor. A reasonable company would only monitor when there was reason to believe that a problem existed (for example, when system logs point out that one user sent 6 million e-mails from his account. Ya gotta be just a LITTLE suspicious their:) but would choose to respect privacy in normal situations.

Ask them what they want - try to find solutions and compromises, then encode them into the manual to sign. If a democratic approach is taken, everyone should be happy.

Say everyone likes to listen to music, but they want a more personal selection. You may not want to allow streaming audio (or video) from the outside, due to security or bandwidth considerations. Maybe you could set up some kind of MP3 server, then (you must have a junk box somewhere, that you could outfit with a large drive). Everybody could place their MP3s on it, and share them around (rather than duplicating them on each desktop).

To CYA yourself legally, don't allow porn or warez. Codify it in the manual, but in practice don't actively look for it - but if it comes up (like say you're looking at a firewall log and you notice a reference to a porn site), privately speak to the individual - make it known that it won't be tolerated. If it is found again, let the person go. Even if it is the "higher ups" (esp. here - why should they get special treatment? - if you have someone on staff with enough skills he/she might be checking up internally without your knowledge of what managment is up to, as their own form of CYA - heh, heh).

One thing to codify in the manual - add a line that says that the policy will only change with written changes, to be signed by the employee (ie, updates), and finally - add a line the says something along the lines of "any rights/rules/actions/etc not explicitly described herein falls to the discretion/right of the employee" - kinda like how the Bill of Rights state the same falling to the States, and not the US Government (not that it is followed much today).

If they had used, say, your companies e-mail system to do the scam, then that would make *THE COMPANY* liable for damages (in their case it was something like 65,000 pounds they had to pay back).

By what reasoning? If I use my personal account to commit fraud, is my ISP responsible? If I use my phone, is Verizon responsible? If I make a threatening phone call from the payphone at the 7-11 down the street, is 7-11 responsible? If I send a harassing postal letter, is the USPS responsible?

The "standard disclaimer" - that opinions expressed in e-mail or USENET postings were not those of the employer who often provided internet services - used to be understood to be implied on all messages. When did that change?

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

fairly and lawfully processed;

processed for limited purposes;

adequate, relevant and not excessive;

accurate;

not kept longer than necessary;

processed in accordance with the data subject's rights;

secure;

not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', holding' and 'disclosing'.

This is so much more stringent than US models that until the recent 'Safe Harbour' agreement, it was not possible to transfer personal data from the UK to the US. Obeying this will enable you to gain 'Safe Harbour' status, yet it's not hard.

Tell your users:

Who you are

What data you're collecting

Why you're collecting it (for each data type)

How you're collecting it (for each data type)

Who you're intending to share that data with and why

Take more care with sensitive data (anything to do with health, money, beliefs or sexual orientation)

And you must, must, must give people an opportunity to opt out of any data uses which are not absolutely central to the operation of your service. Actually, an opt-in is better - Seth Godin explains why [amazon.co.uk] (fair warning - Amazon Associates apply; circumvent if you feel the need).

Good code needs only a bare minimum of "extra" documentation (except where your language syntax is totally bizarre & counterintuitive, or if your algorithm is something derived from a crazed CS grad student's thesis).

I can't count the times I've run into "documented" code, where the documentation completely misdescribes what the code is doing.

How about a policy that states that the management reserves the right to monitor and/or search computers, desks, and electronic transmissions in cases where there is a real possibility of wrongdoing.

Basically, we won't do anything unless we have a good reason, but given a reason, we can do what we want. I like the suggestion I saw, about 2 managers having to sign off on the action, and at least 1 witness being present for all searches.

This isn't too difficult. Make 'employee investigation' something that requires the employee's supervisor and Department Head or Senior Manager (if the Dept. Head is also the supervisor) to invade the employee's privacy. What this essentially does is prevent a supervisor from becoming a petty tyrant by forcing him/her to go to his/her boss. This also follows a basic rule of searching for evidence. If it is time to file a report, two accounts are better than one.

The other hidden result is Senior Management tends not to like to play around and will get annoyed if a supervisor is asking every other day to read someone's email.

This is a good point. Define the circumstances that will trigger monitoring. What defines the 'need'. I'm not saying give a How To Avoid Being Monitored brochure to the employee, but clearly state that reports of harassment, lost productivity, illegal activities will be causes for privacy invasion.

Best of all, though, is inform the employee the search is being made. None of this 9:00pm, all the workers have gone home, lets rustle through his stuff tactics. If there is an issue, then inform the employee and take care of it then and there. Again, I'm not saying give the employee enough notice to hide his tracks, but treat the employee like a human being who has rights and feelings.

I disagree. If my email address is schmuck@company.com, that 'company.com' implies it is the company's email. Now if I was running a gun bazaar using that email address, then Company could easily be held liable for my usage, especially if they don't have a policy in place to stop illegal activities. The case may be thrown out, but it wouldn't stop the lawsuits.

I like an earlier suggestion on making sure the employee has access to his/her personal email account from work (sort of like allowing the employee to access his/her personal voicemail from a work phone.)

We respect your privacy and will make every effort not to monitor you, but we reserve the right to do so.

All this says is that you will do whatever you want to do. When it comes down to it though, privacy policies are all just words, and they only exist to appease the ignorant.

My advice: just save some time and "borrow" somebody elses. Of course in this day and age that's probably a copyright violation. So instead, take somebody elses, read it, get the basic ideas, and rewrite it in your own words (cleanroom implementation). Or to save time, just let the VC's write it. If there's something really horrible in it, it'll end up on/. for review anyways.

No matter what the case, they aren't read by most people, and they aren't adhered to by the companies that write them, so does it really matter? It's not like you're going to get some revolutionary that you'll be applauded for if VCs are involved.

I went back and looked at our handbook and there are 4 separate privacy issues we addressed when we wrote it.
1) Confidentiality of employee records, background checks, and medical history.
2) Email policy
3) Drug testing and alcohol use
4) Somewhat unrelated, but still applicable is the company non-disclosure policy.
Send me an email at mailto:owlmeat@hotmail.com and I'll send some of the stuff to you.

I see with your point, and I agree for the most part, however I do think that a "company" employee sending bad mail of some kind, or performing illegal actions, can be turned on the company, or at least cause suspicion and investigation. I strongly disagree with the ethics (and logic) in this, though, I think that my actions are my own, and not the person who's internet I am using, but I do think that in todays court system, with the popoluar vote looking both in supsicion and dismay at the internet, companies can still be held liable, even if they can prove they are not at fault.

(i.e. the same idiots that grant patents are probably the ones that sit on jury's and preside in courts.)

I think you're right! Companies should "reserve" the right to monitor email, especially in larger companies. What I wanted to convey, though, (even if I didn't come close) is that it all depends on the level of trust between the managers and the employees. When I was growing up, my parents never snooped through my bedroom, even though they had every "right" to, according to the law, but they had no right to according to our personal law. They knew that if they invaded my privacy so grossly as that, then our relationship would be drastically affected, and in a company I think things are much similar. If the employees are continually and openly monitored without provocation, you'll see the trust level drop immediately. But if they feel safe, important, trusted, I think you'll gain their loyalty and their good behavior, if not exceptional.

Side note: I should point out that there are levels of who and how much to trust. The less experienced and responsible and employee is, then there should be more monitoring of them. If the rules are set out, though, and the employees know there is a "chance" of being released for bad behavior, anybody that's being paid a decent amount, particularly in profit sharing, then they won't risk it.
(I'm rambling, I'll quit while I'm ahead)

POLICY FOR EMAIL AND OTHER COMMUNICATIONS
Company employees have access to electronic communications services, such as Email and the Internet. You are encouraged to use them for company business. You are asked to keep personal use to a reasonably low level.
It is not Company policy to regularly monitor communications. However, The Company provides them for business purposes at its own expense, and is the ultimate owner of all associated data. On occasion, The Company has legitimate business reasons to access Email information and other communications data in its archives, and The Company reserves the right to do so.
In other words, nobody here even remotely wants to routinely read your mail. All the same, keep in mind that Email and other communications at The Company are not necessarily private and might be seen by other parties.
Today, it is easy to access information that some people find extremely offensive, and so is not appropriate material for a business setting (certain Web sites for example). Intentional access of such inappropriate material on company time or company property is unacceptable and may be grounds for dismissal.

Venture capital is a necessary evil, but that doesn't mean you have to let it completely run your life. Most of these sorts of lawsuits are bogus anyway, so you can safely assume you'll win if they ever come up. Therefore, the only thing you have to do is allay the psychosomatic fears of your VC cows, most effectively by lying at the meetings. Since they never actually visit the company headquarters, they'll never know the difference, and since productivity will be up because your employees will view you as the "good guy", the VC folks will be happy on two fronts. You just can't lose.

You have a basic right to protect yourself, investors, and employees. By having the "handbook" you will cover yourself. I don't think that anybody's going to care if you read there e-mail, as long as you tell them that your filtering software will look for certain things. Also you should advise top management that certain departments e-mails will be reviewed for insider information and or non-public information.

I think, I would be a bit stern/harsh with my own rules. I would want to protect my firms assets at all cost. My co-works are to important to me, and if somebody is trying to take something away with them that could ruin our firm I will put a stop to it.

Also you should increase the company benifits, Try having counseling ( mental ) and family benifits. everyone will notice that you do realy care and they will look at the handbook as there bible to protect the firm.

I've found that what separates most companies in terms of their privacy is how well _they_ follow it. The policy might look nice on paper, but is meaningless if you don't make an effort to actually follow it.

All those legal disclaimers is there for a reason. Forget something little, and it could be the grounds for a lawsuit against your company. Being too friendly is not good because it can open loopholes against your company.
Do I like it? No, but its a litigious world. People will sue for whatever reason they can to make money. Dont give them the opportunity to hurt and ruin your company.
The problem with setting rules in some legal disclaimers stating when you will inspect it -- and you dont follow it and violate it in a small way, it could be grounds for someone to sue you saying the search was not legal and in compliance with the policy. So keeping it broad is sometimes best for the protection of the company, even though nobody likes it. Otherwise, youre putting your company at risk.
Is it worth it? Sometimes I think its better to protect your rear, and use it to your advantage when the issue comes up, rather than finding you forgot a little "clause" and getting screwed for it.

As long as I can remember privacy policies have been of the nature that "We don't want to watch you, but if we need to we will." What everyone seems to leave ambiguous is what constitutes the need to monitor someone. Perhaps defining this a little further will help. You could say something to the effect of "Monitoring is constituted, but not limited, by the following reasons: harassing other users, breaking the law..." You want to give the users a better idea of your goals without tying your hands.

Unfortunately, if the company owns the network, they pretty much have full say on what is "legitimate usage" or not, so crafting a privacy policy without giving heavy weight to the company is almost illogical. (E.g. I don't allow my little brothers and sisters full access to my machine because I own it. If they were to come in and say "we should have complete privacy on your machine" I would probably laugh at them).

I would recommend setting boundaries of when the company can look at the private emails of their users, what sites they visit, etc., instead of just setting what. All too often a business or school will be croning files randomly and pick up on a disturbing usage they wouldn't pick up on normally.

They should have set rules as to when these searches should be permissable, given just cause (like a search warrant). Despite the fact that they own the network, employees shouldn't feel comfortable with a privacy policy that allows usage searches 24/7.

Yep, you need a privay policy (as part of the employees manual) since you guys are undoubtedly stepping into the sharks pool. Congratulations, btw...

I truely believe that honesty in all dealing between employer and employee is of paramount concern, this affects all policies regulating employee (and employer) conduct.

If you can lay your hand on a Digital Equipment employee handbook from the beginning of the nineties, that can provide you with good ideas about - what I believe - fair and open communication. Of course it requires adaption in the age of downloading pr0n and filling 60% of the disk capacity with MP3s.

The tricky issue is that you guys have to cover your backs, because if you grow and there's money floating around, somebody will sue.

I'd recommend a top-down approach. I.e.

Set the ground rules in employees dealing with each other and communicating with outside entities. Emphasize an environment of common sense and trust

Go into the tools. Mail, web, phone, company letterheads, public statements. The focus should be on self responsibility

Detail the dos and dont's for each form of communication. Try to keep it liberal. I.e: we don't really care if you fire of a private e-mail or surf/. while munching a sandwich. Make it clear however, that you expect that performance doesn't suffer. Explain why certain control measures are not to be avoided (protection of trademarks, company secrets, legal threats)

If you monitor, be very explicit about the tools you use and the data which is monitored and why. Explain what data is stored for how long and how it will be analyzed.

Make consequences for abuse crystal clear

Grant certain rights to the employees. I.e. open door policy (and stick to it), escalation pathes in case of management abuse, the right to browse/. while munching a sandwich (ok, maybe in more general terms)

Emphasize mutual respect and personal responsibilty

Be very specific and unambigeous regarding the wording, and

unfortunately, have it tripple checked by legal and lawyers

Again, be fair in treating your employees and vice versea. This should be reflected by the manual.

"If we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state..."

Wow, it's like you specifically crafted these three sentences to be one of those "famous last words" things.

You can't BOTH have the power to search anyone's desk/computer at any time AND claim they have any privacy. Especially since your two examples already lead us very far down a very slippery slope. "Might be planning murder" to "might be sending nastygrams" leads very easily to "might be looking for another job" and "might be about to blow the whistle".

Here's a privacy policy: We keep the hell out of your stuff. If you break the law, on your own head be it, we assume no responsibility.

Alternatively, you could have an extremely draconian policy--for people who choose to work in the building. Then have an anything-goes policy if you work from home.

BTW, to people who side with the suits and say "but this stuff belongs to company"--shut up, already. The food in the cafeteria belongs to them too, but I'm allowed to bring the waste products home. More to the point, if I am a net drain on the company's resources, the solution is to fire me and hire someone who is a net producer. It's a lot simpler AND fairer.--MailOne [openone.com]

I read recently (maybe on Slashdot) about how Dow Chemical laid off a bunch of employees for being involved in porn email, and I totally disagreed with this. I think, as a manager myself, that privacy is highly important. Privacy, closely related to security, is one of the key ingrediants in keeping up employee morale, however there are some drawbacks:

One way to increase privacy and not affect company stature is to be more performance based rather than methods based. If your employees are meeting their expected goals and deadlines, than they most likely need little, if any, watching from your managers. There will always, of course, be certain issues that will need direct management control, such as porn, illegal activities, or bad customer service, but I believe there are many ways to combat these issues without jeapordizing the loyalty of your employees.

Fight the lawyers over the wording - they want it in their vernacular, you need to ensure it's simple & clear.

Accept that you're going to have to reserve all rights as broadly as possible. Yes you'll likely never spy on someone or snoop their email but you might have to someday & you need to make this possibility clear up front.

Spend an hour with your buddies dreaming up scenarios where you might need to do these actions and plan for them now. Again, you'll likely (hopefully) never need to do any of these but you have to make provisions for the possibility now.

The most basic rule is if it is done on company property or on company time or with company resources the company reserves all rights it can to viewing, recording, and using such.

Lots of/.'ers will recoil at this but I bet if they're employed by a publicly-listed company most will find the same basic tenants in their own employee handbook (please don't post your own unique circumstances - I said "most" & "publicly-listed". Yes there is the option of self-employment and there are unusual circumstances etc. but that's not really the topic.)

Bring the existing employees in on the planning. Don't surprise folks. Keep key figures involved in the evolution so it won't be a surprise. If folks learn along the way the why's of the policies and have their input sought, repected & used then they'll respect the policies and the company and share this confidence with others.

Strongly consider getting in an expert on this sort of thing - not just a lawyer who's first instinct is to cover your ass as much as possible but a seasoned HR-type who you folks like & respect and get their input. Listen to them about what is really important to you, to your employees, and presumably to the VC's who are mandating this.

Finally, look at the nearly-final product and decide if you'd want to work for the company you're creating. If not then start editing.

Employer (former) was concerned an executive was getting ready to jump ship - and was going to walk with a lot of our propriatary information.

A few weeks previously I'd shocked the VP's when they asked about recovering a piece of email when I pointed out it was all backed-up on tape and that I had full access to *everything* (current and archived.) Apparently they'd never put together the implications of my being Sr. Net Admin & being a backup Postmaster, etc.

I'd then pulled some old tapes and gone (with permission) into the execs old email then run a few keyword searches for the password he'd forgotten (don't get me started - they really were a clueless lot... Brilliant in their fields but just sooo out of their depth with the technology in front of them.)

Anyway, I got them to put the snoop request in writing (cover my ass) then got the CEO to countersign it (yes a multi-billion-dollar corperation and he was a great guy; approachable and sharp.)

Duped the subjects email account (don't want to break anything by both of us being in it) and then, with a couple VP's looking over my shoulder, ran a few searches.

Not going to tell the results (irrelevant) but yes, we had authority to do what we did and yes, it was necc. How'd we have authority - cause the employee's handbook said we did (and heavily vetted by Legal) & regular memos reminded folks.

Did we publicize any of this? No. No no no. If the person had been not playing nice (again, not telling) then he'd have been locked out of all accounts ASAP, everything sequestered, and the next day the CEO would have met him at the door, accepted his resignation (form happening to be handy along with the head of HR and a few lawyers) and handed him his last (fat) check.

Word around the company: none. Gone - no comment, wish the best in future endeavors. Why? Well, one he could sue for word getting out (yeah yeah yeah the truth but that's a lot of legal bills later...) Two we didn't need to spook everyone and make them so paranoid that folks just couldn't work. Three - less problem. Most places operate on the path of least resistance and my former no less. If they could get away with just having stuff happen in the background so much the better.

So, the short of it is that no, I don't agree with your 'open' policy. Folks knew ('bout everyone but the VP's it seems) that stuff was an open book and just assumed that my staff had better things to do then read their email. They were of course right, but yeah, there were times where we did go into email and web logs, etc. under direction. Would have publicizing any of this served any purpose? Not really. Few would have understood it, most would have assumed we weren't telling all, and it would have been problematic to implement.

Couldn't an attacker (euphamism for plantiff's attorney, seemed appropriate with all of the security talk these days) argue that the instruction was overly vague?

Well they could, but it probably wouldn't be terribly effective. As technical as lawyers are portrayed, in reality judges and juries are pretty unforgiving of people who fail the "reasonable person" standard. If a resonable person would understand that the contract said such-and-such, then that's the standard you'll be held to (even in some cases where it turns out the contract wasn't even valid, it was the belief of both parties that it WAS valid that made a contract).

Recent cases have, in fact, been leaning the other way -- people getting out of contracts because they were too complicated and impossible to understand, because you cannot enter into a legally binding agreement voluntarily if you don't understand it. There has to be a "meeting of the minds" and if the contract is so complex as to be impossible to understand, you can't possibly agree to it...

XXXXXX understands how central computers have become to each employee¦s work-day. Much as it has become acceptable for employees to use their phone for personal calls on their break or lunch hour, there are certain acceptable personal uses for your desktop computer. These include:
A reasonable number of personal e-mails
Web-browsing or other Internet activities
Writing personal letters

These acceptable uses are modified by the following restrictions:
Web browsing should be limited to sites appropriate for a business environment, particularly in view of the conduct policies listed above.
Downloads must not include copyrighted materials of any kind without the copyright holder¦s permission.
No printing of web content, letters or envelopes on Office printers.

Failure to follow these terms may result in disciplinary action.

Acceptable use may result in an employee¦s personal files, or records of personal activities, residing on the computer system. Employees should keep in mind that the Systems Administrator might need to access a particular computer for maintenance or security reasons. The Office reserves the right to access any computer or file at any time for official purposes. Every effort will be made to preserve the individuals users privacy. No files on an office desktop system should be considered secure or confidential.

While it is technologically possible to track each employee¦s personal use of the computers, it is the policy of the office not to monitor the file access or keystrokes of its employees. Review of system logs and other computer records may take place only after an allegation of misconduct has been made.

>>>>>>>>>>

The restrictions on printing, etc. are due to the fact that this policy is for a public office, the materials, paper, toner, etc. are therefore intended only for official use, and it would be irresponsible/illegal to allow private use. The same arguement might be made for your responsibility to shareholders, but I would generally allow some limited use of office materials.

Look, we understand as employees that what you're saying is true, that you have to cover your own ass. What bugs me is the terms of service kind of legalese that is so over the top that it is literally offensive.

Why not write an employee handbook like Borland used to do software licenses? They used plain language, and explained WHY they had limitations in place, not just a bunch of legal jargon. It is no less legal because it's written in plain English.

You say yourself, "we think someone is keeping a gun in his desk, we want to be able to check it. If someone is harassing people from our email system, we want to be able to verify it. What I don't want, however, is the creation of a police state (be it on paper or otherwise)". That sounds great -- why not just flesh that out as a policy statement?

You really don't have to say "The party in the first part abrogates all claims and reservations for privacy and security of his person, belongings, personal space, and equipment". That's how lawyers write, but you can actually have a legally binding agreement that says "We pay for office equipment and have liability for your actions at work, so you need to know that we do have the right to check your computer or desk. We don't want to do it, but you know as well as we that there's always some nutball with porn on his hard drive, and we don't want to lay you off because we've gone bankrupt from a sexual harassment lawsuit".

It's actually pretty simple: make the handbook say pretty much what you're saying here. You want to preserve your rights, while providing some assurance that you won't routinely spy on your employees "just in case". Perhaps something like this:

The company reserves the right to monitor or search all company property and equipment if improper or illegal conduct is suspected. However, all such monitoring or searching will be performed with at least one witness or explicit written instruction from at least two managers.